Halloween is here – time for kids to go trick-or-treating, for teens to visit haunted houses, and for Americans to spend nearly $7 billion on costumes, candy and decorations. Halloween is a big business, second only to the Christmas holidays. And while it seems like it’s all fun and games, there’s something even scarier than the latest burnt zombie or evil clown costume: cybercrime. That’s why it’s no coincidence that October is National Cyber Security Awareness Month.
A recent survey[1] found that by 2020, 100% of large enterprises will be asked to report to their boards of directors on cybersecurity and technology risk at least annually, an increase from today’s 40%. The same survey found that 30% of organizations targeted by major cyberattacks[2] will spend more than two months cleansing backup systems and data, resulting in delayed recoveries.
Sadly, organizations rarely know that their IT environments have been breached until it is too late. Witness the Democratic National Committee (DNC), which had been hacked almost a year before the DNC discovered it had been compromised. A successful cyberattack can shut down operations – not just for a few hours, but for multiple days and weeks. The collateral damage, such as information leaks, reputational damage and so on, can continue for much longer. And while 34% of organizations think they will be affected by a cybercrime during the next two years, only 37% of organizations have a cyber-incident response plan.
That’s why CIOs are scratching their heads for a way to counter cyber spooks. I recently spoke about four best practices for BCM leaders at the Continuity Insights conference in New York City. Here’s what I told the audience:
- Replace Legacy BCM Solutions. In today’s cyber-sensitive world, Microsoft SharePoint and Office no longer cut it. The days of plans as static documents and Business Impact Analysis as spreadsheets are over. Based on the Gartner 2015 Security and Risk Management Survey[2], only 46% of surveyed organizations own Business Continuity Management Planning software, and 52% own crisis or incident management software. That’s cutting it too close. Organizations need to find newer business continuity management solutions and get rid of older systems that are too prone to hacking.
- Extend Beyond Compliance. Building a brilliantly successful business continuity program means changing the culture in your company to one of engagement outside of the business continuity team. According to the Gartner Magic Quadrant, July 11, 2016, “Business leaders are demanding broader participation in the BCM process to ensure increased confidence that recovery planning will lead to better outcomes.” Take advantage of the resources you have in-house and work with compliance experts as necessary to ensure you have all the bases covered, not just to check the boxes but to go beyond the requirements.
- Prepare Cyber Incident Response Plans. Cyber incident response plans must be tailored for the 21st century business continuity program. Technical and business interdependencies must be pre-established and easily visualized. When an event happens, the response team must be able to know, quickly and easily, what are the upstream and downstream effects of the disruption. Exactly what systems, offices, suppliers and distributors are affected by the event? There needs to be a dynamically created checklist that walks the team through whatever steps need to be taken to respond. Check out this Cyber Incident Management video webinar for more details on how this should work.
- Collaborate with InfoSec. Involve your information security teams in business continuity planning. Give them access to your Business Continuity Management software, let them develop cyber incident plans, help them establish clear roles and responsibilities, and test your plans with the InfoSec teams. And debrief each other after incidents together. This way, everyone has a stake in the game.
Cyber security is now a major concern for organizations as a whole, whereas threats used to be confined to IT departments. Yet the need for a solid business continuity plan is typically an afterthought. Cyber-attacks often disrupt business services, and there are serious consequences to consider – including reputational damage and even potentially legal repercussions. Cyber security is no longer simply an IT challenge; it’s an issue that affects every aspect of a business. And if that doesn’t send chills down your spine – it should.
[1] Gartner, “Prepare for and Respond to a Business Disruption After an Aggressive Cyber Attack,” Roberta J. Witty, John P Morency, Rob McMillan, Robert Rhame, 1 April 2016.
[2] Gartner, “Magic Quadrant for Business Continuity Management Planning Software, Worldwide,” Roberta J. Witty, John P Morency, 11 July 2016.